Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.[1][2]

ID: S0504
Associated Software: Anchor_DNS
Platforms: Linux, Windows
Contributors: Cybereason Nocturnus, @nocturnus
Version: 1.1
Created: 10 September 2020
Last Modified: 04 December 2023

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Anchor has used HTTP and HTTPS in C2 communications.[1]

.004 Application Layer Protocol: DNS

Variants of Anchor can use DNS tunneling to communicate with C2.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Anchor has used cmd.exe to run its self deletion routine.[1]

.004 Command and Scripting Interpreter: Unix Shell

Anchor can execute payloads via shell scripting.[2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Anchor can establish persistence by creating a service.[1]

Enterprise T1480 Execution Guardrails

Anchor can terminate itself if specific execution flags are not present.[1]

Enterprise T1008 Fallback Channels

Anchor can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.[1]

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

Anchor has used NTFS to hide files.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Anchor can self delete its dropper after the malware is successfully deployed.[1]

Enterprise T1105 Ingress Tool Transfer

Anchor can download additional payloads.[1][2]

Enterprise T1095 Non-Application Layer Protocol

Anchor has used ICMP in C2 communications.[1]

Enterprise T1027 Obfuscated Files or Information

Anchor has obfuscated code with stack strings and string encryption.[1]

.002 Software Packing

Anchor has come with a packed payload.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Anchor can support windows execution via SMB shares.[2]

Enterprise T1053 .003 Scheduled Task/Job: Cron

Anchor can install itself as a cron job.[2]

.005 Scheduled Task/Job: Scheduled Task

Anchor can create a scheduled task for persistence.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Anchor has been signed with valid certificates to evade detection by security tools.[1]

Enterprise T1082 System Information Discovery

Anchor can determine the hostname and linux version on a compromised host.[2]

Enterprise T1016 System Network Configuration Discovery

Anchor can determine the public IP and location of a compromised host.[2]

Enterprise T1569 .002 System Services: Service Execution

Anchor can create and execute services to load its payload.[1][2]

Groups That Use This Software

ID Name References
G0102 Wizard Spider